Authentication and authorization

[cpfeiffer]

Thanks a lot for neogrok, I love it!

In a corporate setting, it may be required to provide the search interface behind authentication and even further, to provide search results, based on the authenticated user's permissions to the git repositories being indexed by zoekt.

If this is of any interest to you, you could have a look at our implementation at https://github.com/GEBIT/neogrok/commits/gebit/ (beware, JS and SvelteKit rookies here).

In order to handle permissions at the repository level, we made a custom version of zoekt, which additionally gets information about the users + their repository permissions, and the user doing the search.

[isker]

Cool. I have left auth up to a reverse proxy sitting in front of neogrok in my own deployments, but that does not allow for this kind of granular auth at all.

[cpfeiffer]

Good point, one could implement this e.g. with apache mod-openidc and rely on the RemoteUser header being set. Only passing that value to zoekt would be needed.

[zachelnet]

@cpfeiffer
I was wondering, why did you implement ACL directly in the search engine? I thought it would be enough to implement this via search query, as described there design.md#gerritgitiles-integration?